Network security layers


Deny by default/allow by exception assumes that all traffic is potentially malicious or at least unwanted or unauthorized. Everything is prohibited by default. As benign, desired, and authorized traffic is identified, an exception rule grants it access to the network.

Allow by default/deny by exception assumes that most traffic is benign. Everything is allowed by default. As malicious, unwanted, or unauthorized traffic is identified, an exception rule blocks it.

Most security experts agree that deny by default/allow by exception is the more secure stance to adopt.
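The two stances, run over the same traffic, as an added example that is not part of the original page. The rule sets, the first-match evaluation order and the sample packets are constructed for illustration. The example shows that the default only decides the fate of traffic no exception rule has classified yet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

def match(rule, pkt):
    return (ip_address(pkt["src"]) in ip_network(rule.src)
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt["dport"]))

def decide(pkt, default, rules):
    """First matching exception wins; otherwise the default stance applies."""
    for rule in rules:
        if match(rule, pkt):
            return rule.action, "exception"
    return default, "default"

# Hypothetical policies (assumed for this example, not taken from the page).
DENY_BY_DEFAULT = ("deny", [
    Rule("allow", "0.0.0.0/0", "tcp", 443),        # public HTTPS is authorized
    Rule("allow", "10.0.0.0/8", "tcp", 22),        # SSH from the internal range only
])
ALLOW_BY_DEFAULT = ("allow", [
    Rule("deny", "0.0.0.0/0", "tcp", 23),          # Telnet identified as unwanted
    Rule("deny", "203.0.113.0/24", "any", None),   # network identified as malicious
])

# Constructed sample traffic using documentation address ranges.
TRAFFIC = [
    {"src": "198.51.100.7", "proto": "tcp", "dport": 443},
    {"src": "10.1.2.3", "proto": "tcp", "dport": 22},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 22},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 23},
    {"src": "198.51.100.7", "proto": "udp", "dport": 31337},
]

def compare(traffic=TRAFFIC):
    """Return (packet, verdict under deny-by-default, verdict under allow-by-default)."""
    return [(p, decide(p, *DENY_BY_DEFAULT), decide(p, *ALLOW_BY_DEFAULT)) for p in traffic]

if __name__ == "__main__":
    for pkt, d, a in compare():
        print(f"{pkt['src']:>14} {pkt['proto']}/{pkt['dport']:<6} deny-default={d}  allow-default={a}")
```

The external SSH attempt and the UDP packet match no rule in either policy, so they are dropped under deny by default and pass under allow by default.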

Answer the following question(s):

When would you use allow by default/deny by exception? Provide a rationale for your answer.